
I would like to know what the benefits are of using the Splunk Add-on for Microsoft Cloud Services over installing the Universal Forwarder directly on the VMs. Will I get more/better information by using the Splunk Add-on for Microsoft Cloud Services? If yes, what are the differences?
In addition, if I choose to use the Splunk Add-on for Microsoft Cloud Services, will my existing Splunk interface be changed? Will the query method stay the same?
Thanks 🙂


A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.
If you just want performance data and Windows Event Logs from your VMs, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).
The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.
Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.

Thank you for your response, appreciate your help!
